W3C home > Mailing lists > Public > public-webappsec@w3.org > January 2016

Re: Request for input on Foreign Fetch

From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 27 Jan 2016 11:08:28 -0800
Message-ID: <CADnb78hbSWv-ecU_midem-SxJYw82Stbon6KswPheCoi593EUA@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Cc: Mike West <mkwst@google.com>, WebAppSec WG <public-webappsec@w3.org>, Marijn Kruisselbrink <mek@google.com>
On Wed, Jan 27, 2016 at 9:52 AM, Martin Thomson
<martin.thomson@gmail.com> wrote:
> On 28 January 2016 at 01:25, Anne van Kesteren <annevk@annevk.nl> wrote:
>>> When I hear "CORS", I think "Will the foreignorigin's service worker be able
>>> to respond to OPTIONS requests?" because that sounds dangerous. I assume
>>> preflights will continue to skip both service workers?
>> Yes. Opting into foreign fetch is the equivalent of OPTIONS.
> It's the middle of the night, but this doesn't parse.  If foreign
> fetch is the equivalent of OPTIONS, then isn't it reasonable to permit
> intercept of OPTIONS requests?  Or omit the OPTIONS requests entirely
> in this case?

I meant the latter. We would not issue an OPTIONS fetch. CORS OPTIONS
is a check to see if the server is CORS-aware. Here the service worker
obviously is aware of cross-origin fetches.

Received on Wednesday, 27 January 2016 19:08:56 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:54 UTC